PCI SAQ A

Know what it takes to fill PCI SAQ A

To comply with PCI DSS, your bank may require you to complete a self-assessment questionnaire (SAQ), but there are different types of SAQ surveys for different business types. SAQ types vary depending on how your company receives card data, how payments are managed, and how card data is stored and transmitted.

SAQ A was briefly developed to address requirements applicable to merchants where cardholder data functions are fully outsourced from PCI approved third parties, where merchants only hold reports on paper or statements with cardholder data.

See Also: Choosing the Right PCI DSS SAQ

You can check our PCI DSS SAQ article to review all PCI SAQ types and get detailed information.

You can find out what businesses need to do to complete the PCI SAQ A Form in our article.

Who should use PCI SAQ A?

SAQ A is for merchants that have their card data processed by approved third parties. This group may include companies that sell via e-commerce or phone/mail order channels.

For PCI SAQ A, merchants never directly communicate with Cardholder Data electronically via a text file, excel file, e-mail, database, or other software on their computers. Unless you receive your customer’s data electronically in paper files or paper receipts, they will never actually see it.

The PCI DSS has identified a set of requirements that apply to SAQ A merchants as follows:

• If your organization only accepts card-not-present transactions (e-commerce or phone/mail order)
• If the processing of cardholder data is entirely outsourced to third-party service providers approved by PCI DSS
• Your organization does not electronically store, process, or transmit any cardholder data across your networks or facilities, but only rely on a third party to perform all these functions.
• If your organization indicates that any third party that performs the storage, processing or transmission of cardholder data is PCI DSS compliant
• If the cardholder information kept by the organization is on paper and the documents are not received electronically

For SAQ A, you must never see a customer’s physical card and accept payments by phone, traditional mail, or an e-commerce website. In this way, it is essential to remember that you will only be taken as a merchant who conducts transactions with no physical card.

What are the requirements of PCI SAQ A?

SAQ A is one of the easiest to deal with for any company expected to be PCI DSS compliant. It is also the smallest SAQ type created for environments where the risk of accessing payment card data is shallow.

The following PCI DSS requirements apply to SAQ A:

• PCI DSS Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
• PCI DSS Requirement 8: Define and verify access to system components
• PCI DSS Requirement 9: Physical access must be limited to cardholder data
• PCI DSS Requirement 12: Maintain a policy that discusses information security for all employees

You can self-assess with PCI SAQ A if you meet the above requirements. PCI SAQ A covers 4 PCI DSS requirements, but some PCI DSS requirements have been reduced.

PCI SAQ A is one of the short SAQs with 22 questions because the companies involved do not directly process any card data and transfer all cardholder data functions to third parties.

However, because they have access to reports and receipts containing cardholder data, they must ensure that these accesses are secure and comply with applicable PCI DSS policies and procedures.

Sample Questions You Should Answer for PCI SAQ A

There are a total of 22 questions that you have to answer in SAQ A. Some questions you have to answer for SAQ A are:

• Are the vendor’s default credentials always changed?
• Are all users given a unique ID to access system components or cardholder data before use?
• Are all media physically stored securely?
• Is tight control of media distribution both inside and outside?
• Is there a consistently tight control over media storage and accessibility?
• Are media that are not needed for commercial or legal reasons destroyed?
• Are policies and procedures for controlling service providers maintained and implemented?
• Is there a written agreement between you and the service provider that the company is responsible for the card’s data protection?
• Is there a process to engage service providers?
• Is there an established process to monitor service providers’ PCI DSS compliance status at least annually?

What are the differences between SAQ A and SAQ A-EP?

Many businesses often confuse these two SAQ forms and wonder if they are the same. Although SAQ A and SAQ A-EP are very similar, there are a few differences between them. Primarily, both include e-commerce merchants who transfer card data to a third-party service provider.

The significant difference between the two is that SAQ A includes service providers who delegate full responsibility for card data to the third party. Also, SAQ A-EP involves merchants checking how cardholder data is routed to a PCI DSS-validated third-party payment processor.

If a merchant’s e-commerce website is configured to redirect customers to a PCI-compliant third-party website before requesting cardholder data, or if iFrame is used to collect cardholder data third-party PCI-compliant provider, the merchant has the right to use SAQ A.

In other words, if your website uses an iFrame or hosted page implementation, you will be responsible for complying with SAQ A. In both cases, the user is redirected to a payment page hosted by the service provider. This type of payment can be made by providing a redirect to another page or iframe on the same page where the user is redirected to another page.

E-commerce merchants using technologies or transactions such as JavaScript or direct HTTP post methods to direct the stream of cardholder data from the customer directly to the compatible third-party payment gateway must use SAQ A-EP.

In other words, if you use a post method or JavaScript implementation, you will be responsible for complying with SAQ A-EP. Because in both cases, you’re capturing information via your form using actions and methods to send data to an API.

Examples of e-commerce applications handled by SAQ A are as follows;

• Merchants do not have access to the website, and the website is hosted and managed by a fully compatible third-party payment processor.
• The merchant website provides an iFrame to a PCI DSS compliant third party processor that simplifies the payment process.
• The merchant website contains a URL link that redirects users from the merchant’s website to a PCI DSS compliant third party processor and simplifies the payment process.

How to Complete the PCI DSS Self-Assessment Questionnaire A?

There are several answers to each question on the SAQ A form that you can indicate your company’s status regarding the requirement. Your answers to the items may be “Yes, No, Compensating Control or Not Applicable.” Only one answer should be chosen for each question.

You can complete the SAQ A form by following the steps below in order:

• First, determine the applicable SAQ for your environment.
• Confirm that your environment’s scope is appropriately defined and meets the eligibility criteria for the SAQ you are using.
• Assess your environment for compliance with applicable PCI DSS requirements for SAQ A.
• Fill out all required SAQ A form sections.
• Communicate the SAQ and Attestation of Compliance (AOC), along with any other requested documentation, to the recipient, your payment brand, or other requestors.

I have an e-commerce site, and I never collect customer data, so am I eligible for PCI SAQ A?

You have the right to comply with PCI SAQ A only if your e-commerce website does not accept customer data and does not control how customers or their data are routed to an approved third-party payment processor.

Additional tips for completing the PCI SAQ Form A

Update Service Provider’s security policies: Even if you do not directly process card data, your service providers must be PCI compliant. You should regularly review and verify that your security agreements with them are updated.

Train your employees: Compliance of your personnel with your relevant policies and procedures ensures that the security environment works correctly. Therefore, train your staff at least once every three months, even if not monthly.

Work with a QSA / security expert: Finding an expert to help you ensure your PCI DSS compliance will save you a lot of convenience and time.

You can view the latest (version 3.2.1) PCI Self-Assessment Questionnaire A pdf form here.